# Day 22

#### Task 28 — Kubernetes DFIR Day 22: It's because I'm kubed, isn't it? <a href="#id-8d94" id="id-8d94"></a>

**1. What is the name of the web shell that was used by Mayor Malware?**

1. Start the machine, open a terminal, and start minikube: `minikube start`
2. List the pods in the `wareville` namespace: `kubectl get pods -n wareville`
3. Open a shell in the specific pod: `kubectl exec -n wareville naughty-or-nice -it -- /bin/bash`
4. Once connected, type `cat /var/log/apache2/access.log | tail` and look at the last requests in the file; the PHP file being requested is the web shell.

```
Ans: shelly.php
```

**2. What file did Mayor Malware read from the pod?**

Read the Apache error log: `cat /var/log/apache2/error.log`

```
Ans: db.php
```

**3. What tool did Mayor Malware search for that could be used to create a remote connection from the pod?**

The tool searched for is `nc` (netcat), which can be used to open a remote connection from the pod.

```
Ans: nc
```

**4. What IP connected to the docker registry that was unexpected?**

1. Type `exit` to leave the pod shell.
2. In your terminal, type `cd ~/dfir_artefacts`
3. List the source IPs of the `HEAD` requests with `cat docker-registry-logs.log | grep "HEAD" | cut -d ' ' -f 1` and pick out the one that does not belong to the expected hosts.

```
Ans: 10.10.130.253
```

**5. At what time is the first connection made from this IP to the docker registry?**

Type the command below to display the oldest log entries for that IP:

```bash
cat docker-registry-logs.log | grep "10.10.130.253" | head
```

```
Ans: 29/Oct/2024:10:06:33 +0000
```

**6. At what time is the updated malicious image pushed to the registry?**

Use the command below to find the time of the image push; a `PATCH` request to the registry is part of a blob upload, i.e. a push rather than a pull:

`cat docker-registry-logs.log | grep "10.10.130.253" | grep "PATCH"`

```
Ans: 29/Oct/2024:12:34:28 +0000
```
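The registry-log triage of questions 4 to 6 done in one pass, as an added example that is not part of the original walkthrough: it parses the registry access log, flags source IPs that are not on an allow-list of expected clients, reports the first time each was seen, and lists its `PATCH`/`PUT` requests (a push rather than a pull). The log lines are constructed for the example; the allow-listed host `10.10.1.5`, the image name and the upload id are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the Apache/nginx-style format the registry writes.
# 10.10.130.253 and its timestamps are from the walkthrough; the "known" host
# 10.10.1.5, the image name and the upload id are made up for this example.
SAMPLE_LOG = """\
10.10.1.5 - - [29/Oct/2024:09:58:01 +0000] "GET /v2/ HTTP/1.1" 200 2
10.10.130.253 - - [29/Oct/2024:10:06:33 +0000] "HEAD /v2/wishlistweb/manifests/latest HTTP/1.1" 200 0
10.10.1.5 - - [29/Oct/2024:10:20:17 +0000] "HEAD /v2/wishlistweb/manifests/latest HTTP/1.1" 200 0
10.10.130.253 - - [29/Oct/2024:12:34:10 +0000] "POST /v2/wishlistweb/blobs/uploads/ HTTP/1.1" 202 0
10.10.130.253 - - [29/Oct/2024:12:34:28 +0000] "PATCH /v2/wishlistweb/blobs/uploads/abc123 HTTP/1.1" 202 0
10.10.130.253 - - [29/Oct/2024:12:34:30 +0000] "PUT /v2/wishlistweb/manifests/latest HTTP/1.1" 201 0
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # the same timestamp format the answers use

def parse(log_text):
    """Return one dict per line that matches the access-log format; skip the rest."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], TS_FMT)
            entries.append(d)
    return entries

def unexpected_ips(entries, known_hosts):
    """Q4: clients that are not on the allow-list of hosts expected to talk to the registry."""
    return sorted({e["ip"] for e in entries if e["ip"] not in known_hosts})

def first_seen(entries, ip):
    """Q5: timestamp of the earliest request from ip (None if never seen)."""
    times = [e["ts"] for e in entries if e["ip"] == ip]
    return min(times) if times else None

def push_events(entries, ip):
    """Q6: PATCH (blob upload) and PUT (manifest) requests from ip, in log order: a push, not a pull."""
    return [(e["ts"], e["method"], e["path"]) for e in entries
            if e["ip"] == ip and e["method"] in ("PATCH", "PUT")]

def investigate(log_text, known_hosts):
    """Tie the three checks together: one report entry per unexpected source IP."""
    entries = parse(log_text)
    return {ip: {"first_seen": first_seen(entries, ip), "pushes": push_events(entries, ip)}
            for ip in unexpected_ips(entries, known_hosts)}
```

Point `investigate` at the contents of `docker-registry-logs.log` and your own allow-list of cluster hosts to get the same three answers without hand-grepping.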

**7. What is the value stored in the "pull-creds" secret?**

Read the `pull-creds` secret from the `wareville` namespace and base64-decode its `.dockerconfigjson` field:

```bash
kubectl get secret pull-creds -n wareville -o jsonpath='{.data.\.dockerconfigjson}' | base64 --decode
```

```
Ans: {"auths":{"http://docker-registry.nicetown.loc:5000":{"username":"mr.nice","password":"
```
